Tender.fi flaw leads to $1.59m theft

The white hat exploiter has returned around $1.49 million worth of funds for a reward of 62.47 ETH after exploiting the Arbitrum-based DeFi platform through a price oracle glitch.


Yesterday, Tender.fi, a decentralized lending and borrowing platform on Arbitrum, experienced unusual activity. It immediately informed its customers in a Twitter post:

"We are investigating an unusual amount of borrows that came through the protocol - in the meantime, we have paused all borrowing. Thank you for your patience."

After $1.59 million worth of assets had been borrowed, the company received an on-chain message that said, "it looks like your oracle was misconfigured. Contact me to sort this out."


It turned out that the attacker exploited a glitch in Tender.fi’s price oracle, the component that feeds external price data to the protocol’s smart contracts. This allowed the hacker to borrow $1.59 million from the protocol against a deposit of a single GMX token worth about $71 at the time of writing.

"The White Hat will repay all loans minus 62.158670296 ETH, which will be kept as a Bounty for helping secure the protocol. The Tender.fi Team will repay the Bounty’s value to the protocol so that there will be no bad debt and users will remain unaffected," Tender.fi posted the translation of the message on Twitter yesterday.


The attacker was willing to repay the loans in exchange for a reward of about 6% of the total stolen funds. The hacker sent the money back to Tender.fi the same day.

"The actor has completed the loan repayments. Funds are officially SaFu, post mortem on the way," Tender.fi posted on Twitter.

While many Twitter users praised both the Tender.fi team and the hacker, seeing the lending platform's decision as proof of its credibility and trustworthiness, the relative simplicity of the hack also raised security concerns.

For instance, Twitter user Cryptovietnam.stark believes that more information should be provided about the technical side of the hack and preventative measures for the future, saying that "if there is no clearly full picture, an investor cannot throw big money to your pools."

Price oracles carry several risks for the DeFi protocols that depend on them. One of the most common is token price manipulation, which affects services built on protocols that read the spot price directly from a decentralized exchange (DEX).


Because the latest reported price often lags the market by at least several seconds, a protocol that relies on it is exposed to flash loan attacks, in which borrowed capital moves the price within a single transaction. There is also a centralization risk: the private key of a privileged account, such as one that can update the oracle's price feed, could be compromised.

"Currently, there isn’t really a known decentralized method of getting trustworthy price info on-chain in a way that is both fast and prohibitively expensive to manipulate. For example, Augur is decentralized and prohibitively expensive to manipulate, but too slow for price updates. Chainlink, Provable are fast but cheap to manipulate (simply attack the websites they query). Therefore, the median of multiple trusted third parties is the de facto ‘standard,’" Extropy.IO, a blockchain consulting and auditing company, explained in its blog post.
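As an added illustration of the two points above (collateral priced from a single DEX spot price, and the median-of-sources approach Extropy.IO describes as the de facto standard), here is a toy Python model. It is not code from the article, from Tender.fi or from Extropy.IO; the pool reserves, the 75% loan-to-value ratio and the three price feeds are constructed sample values, and the `ConstantProductPool`, `max_borrow` and `guarded_price` names are this example's own.

```python
"""Toy model (constructed for this example) of why a lending protocol must not
price collateral from a single DEX spot price, and one defensive alternative:
the median of several independent sources with a deviation guard."""
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence


@dataclass
class ConstantProductPool:
    """Constant-product (x * y = k) pool. Reserves are a constructed sample,
    not real Tender.fi or GMX figures. Swap fees are ignored for clarity."""
    reserve_token: float   # e.g. GMX
    reserve_quote: float   # e.g. a stablecoin

    def spot_price(self) -> float:
        # Quote per token, read straight from reserves. This is what a naive
        # on-chain oracle returns, and it changes with every swap.
        return self.reserve_quote / self.reserve_token

    def buy_token(self, quote_in: float) -> float:
        # Swap quote -> token while keeping x * y constant; returns tokens out.
        k = self.reserve_token * self.reserve_quote
        new_quote = self.reserve_quote + quote_in
        new_token = k / new_quote
        tokens_out = self.reserve_token - new_token
        self.reserve_token, self.reserve_quote = new_token, new_quote
        return tokens_out


def max_borrow(collateral_amount: float, price: float, ltv: float) -> float:
    """Borrow limit a lending market grants for collateral at a given price
    and loan-to-value ratio."""
    return collateral_amount * price * ltv


def guarded_price(sources: Sequence[float], max_deviation: float) -> Optional[float]:
    """Median of independent price sources. Returns None (i.e. refuse to lend)
    if any source strays from the median by more than max_deviation, given as
    a fraction (0.05 means 5%)."""
    if len(sources) < 3:
        return None  # a median of fewer than three sources is no safer than one
    m = median(sources)
    if any(abs(p - m) / m > max_deviation for p in sources):
        return None
    return m


def demo() -> dict:
    """Walk through the scenario with constructed numbers."""
    pool = ConstantProductPool(reserve_token=10_000.0, reserve_quote=710_000.0)
    before = pool.spot_price()                        # 71.0 quote per token
    limit_before = max_borrow(1.0, before, ltv=0.75)  # 53.25 against one token

    # One large swap inside a single block doubles the quote reserve and
    # quadruples the spot price; a naive oracle now reports 284.0.
    pool.buy_token(710_000.0)
    after = pool.spot_price()
    limit_after = max_borrow(1.0, after, ltv=0.75)    # 213.0 for the same token

    # Median of three feeds with a 5% deviation guard: the manipulated pool is
    # outvoted by two unaffected feeds, and the spread trips the guard anyway.
    healthy = guarded_price([71.0, 70.5, 71.4], max_deviation=0.05)
    manipulated = guarded_price([71.0, 70.5, after], max_deviation=0.05)
    return {
        "spot_before": before, "spot_after": after,
        "limit_before": limit_before, "limit_after": limit_after,
        "guarded_healthy": healthy, "guarded_manipulated": manipulated,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>20}: {value}")
```

The deviation guard is the part that matters operationally: a median alone still returns a number when the sources disagree, whereas pausing borrows when feeds diverge (as Tender.fi did manually after the fact) is what stops a mispriced collateral from being turned into a loan.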